VDB

CVE-2026-33678

CVE-2026-33678 PUBLISHED CVSS 8.100000381469727 HIGH

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, `TaskAttachment.ReadOne()` queries attachments by ID only (`WHERE id = ?`), ignoring the task ID from the URL path. The permission check in `CanRead()` validates access to the task specified in the URL, but `ReadOne()` loads a different attachment that may belong to a task in another project. This allows any authenticated user to download or delete any attachment in the system by providing their own accessible task ID with a target attachment ID. Attachment IDs are sequential integers, making enumeration trivial. Version 2.2.1 patches the issue.

EPSS 0.04% · 14.0th percentile

Risk Scores

CVSS v3.1
8.100000381469727
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS Score
0.04%
14.0th percentile

Affected Products

VendorProductVersions
code.vikunja.ioapi0, 0, 0
go-vikunjavikunja< 2.2.1, < 2.2.1, *
vikunjavikunja0

Timeline

  • Mar 24, 2026 PoC Published
  • Mar 24, 2026 CVE Published
  • Mar 24, 2026 CVE Updated
  • Mar 24, 2026 PoC Published
  • Mar 25, 2026 EPSS Score
  • Mar 25, 2026 Coalition ESS Score
  • Mar 26, 2026 Security Advisory
  • Mar 30, 2026 PoC Published
  • May 18, 2026 EPSS Score
  • May 19, 2026 EPSS Score
  • May 20, 2026 EPSS Score
  • May 21, 2026 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›